Regulatory approaches to enhance banks' cyber-security frameworks

August 2017

Recent high-profile cyber-attacks on financial institutions have focused attention on the need to strengthen cyber-security. Banks have the most public-facing products and services, and are thus significantly vulnerable to potential cyber-attacks. Consequently, cyber-risk is a major concern for most bank supervisors. However, only a handful of jurisdictions have specific regulatory and supervisory initiatives that seek to address banks' cyber-risk; these notably include Hong Kong SAR, Singapore, the United Kingdom and the United States. This paper therefore analyses the regulatory and supervisory frameworks for banks' cyber-risk in these jurisdictions. It notes that, while there may be different views on the need to specifically regulate cyber-risk or how prescriptive these regulations should be, some common regulatory requirements are now emerging. Moreover, the supervisory approaches to assessing banks' cyber-risk vulnerability and resilience seem to be converging towards a "threat-informed" or "intelligence-led" framework. The paper also offers some high-level policy considerations, which may be helpful for banking supervisory authorities contemplating or planning to introduce or enhance cyber-risk regulation and supervision for banks.